
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           IBM Tivoli Storage Manager
                                  [TSRT-06-14]

December 11, 2006 19:00 GMT                                       Number R-069
______________________________________________________________________________
PROBLEM:       These vulnerabilities allow attackers to execute arbitrary code 
               on vulnerable installations of IBM Tivoli Storage Manager. 
               Authentication is not required to exploit these 
               vulnerabilities. 
PLATFORM:      Tivoli Storage Manager <5.2.9 
               Tivoli Storage Manager <5.3.4 
DAMAGE:        Could allow remote attackers to cause a denial of service and 
               possibly execute arbitrary code. 
SOLUTION:      Apply current patches. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Could allow a remote attacker to gain root 
ASSESSMENT:    privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-069.shtml 
 ORIGINAL BULLETIN:  http://www.tippingpoint.com/security/advisories/TSRT-06-14.html 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5855 
______________________________________________________________________________
[***** Start TSRT-06-14 *****]

TSRT-06-14: IBM Tivoli Storage Manager Mutiple Buffer Overflow Vulnerabilities
December 4th, 2006

CVE ID:

CVE-2006-5855
Affected Vendor:

IBM
Affected Products:

Tivoli Storage Manager <5.2.9
Tivoli Storage Manager <5.3.4
TippingPoint(TM) IPS Customer Protection:

TippingPoint IPS customers have been protected against this vulnerability since April 3, 2006 by Digital Vaccine protection filter ID 4248. For further product information on the TippingPoint IPS:

   http://www.tippingpoint.com
Vulnerability Details:

These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager. Authentication is not required to exploit these vulnerabilities.

The specific flaws are similar and exist in the processing of messages by the Tivoli Storage Manager service, bound on TCP port 1500. The messages are structured in the form [index][size]. The 'index' field specifies an integer offset into the body of the message for a specific field, and the 'size' field specifies the size of the indexed field.

As no validation is done on the index fields, an attacker can force the service to look beyond the end of the packet, often landing in unallocated memory and resulting in a denial of service.

The size fields are often checked to ensure they do not exceed the bounds of the destination buffers that data is being copied to. However, we have found the following four instances where the size files are left unchecked:

Overflow 1
The initial sign-on request contains a field to specify the language. In normal cases seen, this string is "dscenu.txt". Typically the server will validate that the language string is no longer than 0x100 bytes. However, if the first byte of the language string is 0x18, this check will not occur, and a fixed sized buffer will be overrun.

Overflows 2 and 3
There is an overflow vulnerability in messages processed by the SmExecuteWdsfSession function. There are two fields in this request, both are copied into fixed sized buffers, without any validation of their lengths.

Overflow 4
There is an overflow in the open registration message due to an unchecked copy into a fixed size buffer for the contact field of the registration.

All four of the above detailed overflows can lead to arbitrary code execution under the context of the Tivoli service.
Vendor Response:

IBM has issued an update to correct this vulnerability. More details can be found at:

    http://www-1.ibm.com/support/docview.wss?uid=swg21250261
Disclosure Timeline:
2006.04.03 	Digital Vaccine released to TippingPoint customers
2006.05.09 	Vulnerability reported to vendor
2006.12.04 	Coordinated public release of advisory

Credit:

This vulnerability was discovered by the TippingPoint Security Research Team. 

[***** End TSRT-06-14 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of TippingPoint for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-059: texinfo Buffer Overflow
R-060: libgsf Buffer Overflow
R-061: HTTP Requests in Sun Java System Server(s)
R-062: proftpd Several Vulnerabilities
R-063: Vulnerability in Microsoft Word
R-064: GnuPG Security Update
R-065: Google Mini and Google Search Appliance Vulnerable
R-066: Adobe Download Manager Vulnerability
R-067: l2tpns Buffer Overflow
R-068: Microsoft Windows Media Player